
I can understand the reluctance to shut off System Restore ( assuming it is ME or XP ) on a customer's computer. I have not tried deleting specific restore points yet ( never thought of trying it, to tell the truth ), but I have seen some malware which apparently made their own restore files. The unusual thing about them: when System Restore was shut off ( which, to my understanding, should delete all the existing restore points ), the malware restore points were still present, but the malware in the restore point was not picked up when scanning! ( Stupid me, thinking only of how to clean the damn things, never thought to try and find out how they worked. )
AND the restore point would load, even in safe mode!
( This reminds me of another post I responded to recently, though different malware. Seems these things keep getting smarter trying to defeat the scanners. )

Just a couple of questions, and I am in no way saying you didn't see what you say you saw, I am just trying to clarify. First, are you sure that malware was being called from the System Restore folder in HJT? The reason I ask is because I have been doing malware removal for quite a while, and have never seen this behavior, even with some of the most sophisticated malware. I have done extensive testing, along with a few others, and we have never found a single case where this happens. We have seen malware create directories that 'look' like System Restore directories, as well as masquerading as Panda, McAfee, and Sygate, though.

Also, HJT does not monitor registry keys having anything to do with system restore, so if anything like that had been showing up in logs, it would have created a bunch of commotion.

It is not unusual for malware to start in safe mode anymore. That only makes it marginally harder to kill, but a pain nevertheless. Self-monitoring malware is not all that unusual any more either, and it would neatly explain the behavior you are describing.

Based on my understanding of System Restore, it is only a snapshot of a system at a given time. It is not designed to restore single files. WFP on the other hand does, and has been exploited by Bube, among others.

I'm not saying it can't happen though, just that I have not seen it. Would you happen to remember the infection involved, or by any chance kept a copy of the log?

First, are you sure that malware was being called from the system restore folder in HJT?

Yes, I'm sure. That is why I turned off System Restore in the first place. It stuck out to me that HJT would have such an entry too. When I went to the restore folder it was there.

As I said, my understanding of System Restore is that when you shut it off all the restore points are deleted, so that is what I did thinking this would be an easy fix. Rebooted into safe mode, all the restore points were gone but not the file that showed up in HJT, and it could not be deleted.

I didn't take notice of exactly where it was being called from, but could watch the temp folder fill up with new processes while it reinstalled itself. Most of the files in the temp folder could be deleted except for the newest ones from the latest system reboot.

As for the particular variant, I don't remember, but it was one for which removal tools from Symantec and others existed: none worked. My guess is someone found a new way to deliver and safeguard it, but the registry values that it left behind were the same as in the manual deletion instructions, so after I managed to remove it from the restore folder ( manually, using a boot disk and Dosshell ) I was able to clean the registry. ( Also searched the registry for additional entries but found none. )

I had never seen this before either. The computers where this was seen had no protection ( no malware detection, no spyware detection, out-of-date anti-virus ) on a broadband connection: typical user!

BTW, this was the last thing on the computers. Prior to this I did the normal: ran Ad-Aware, SpyBot, and Sysclean, all with the latest definitions. Sysclean picked up two viruses; the others cleaned almost 200 instances of malware, including the one that could not be deleted, but they made no mention of the restore file.

If I come across it again believe me I will copy it before I do anything else!

" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

I know this situation is closed, but I would like to point out the most painstakingly obvious comment possible... if and when all these tools are run in safe mode, all temp files have been cleared, including the prefetch folder, which people always seem to forget.... Did you happen to change the website to something else, or was the homepage still set to letgohome.com?

I have seen even advanced technical people accidentally overlook the obvious, forgetting to check the basics.

edit: did I mention to make sure that, at a minimum, your client MUST have SP1, or else they will just get reinfected quicker than you can walk out the door?

I would like to point out the most painstakingly obvious comment possible... Did you happen to change the website to something else, or was the homepage still set to letgohome.com?

Good point.
Many of the tools we take for granted will indicate a browser hijack attempt, but don't necessarily indicate changes of the default.

Example:
none ( anymore ) balk at my IE homepage of about:blank
None complain at all of my mozilla products custom home pages which were set by the user.

It is always a good idea ( at least I do it ) to ask the owner of the computer a few questions, like what home page they usually set up, whether they use chat programs, etc., and check it before I'm done. But I always also insist on their original install disks, just in case I can't clean it.

" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
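The checks the thread keeps coming back to (is System Restore actually off and are restore points really gone, what is sitting inside the restore store, what the browser home page is set to rather than whether a hijack was attempted, what survives a reboot into safe mode, and the Temp and Prefetch folders that get forgotten) can be pulled together into one audit script. The following is an added example, not code posted by anyone in this thread. It assumes Windows PowerShell 5.1 on a client SKU, run from an elevated prompt; the registry locations are the documented System Restore, Internet Explorer and SafeBoot keys, and the folder layout under System Volume Information is the XP-era one described above. Reading that folder usually fails with Access Denied even when elevated, because it is ACL'd to SYSTEM; the script reports that rather than hiding it, since it is exactly why the poster needed a boot disk.

```powershell
# Added example: post-cleanup audit of the places discussed in this thread.
# Assumes Windows PowerShell 5.1, client SKU, elevated prompt.

function Get-SystemRestoreStatus {
    # DisableSR = 1 means System Restore is switched off (local setting or policy).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).DisableSR
            [pscustomobject]@{ Key = $k; DisableSR = $v }
        }
    }
    # Restore points the OS still knows about; expect none once SR is disabled.
    try {
        Get-ComputerRestorePoint -ErrorAction Stop |
            Select-Object SequenceNumber, Description, CreationTime
    } catch {
        Write-Warning "Could not enumerate restore points: $($_.Exception.Message)"
    }
}

function Get-RestoreFolderExecutables {
    # Executable content inside the restore store itself. The folder is ACL'd to
    # SYSTEM, so Access Denied here is expected; inspect it offline if you need to.
    param([string]$Drive = 'C:')
    $root = Join-Path $Drive 'System Volume Information'
    $exts = '.exe', '.dll', '.scr', '.com', '.bat', '.vbs'
    try {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction Stop |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -in $exts } |
            Select-Object FullName, Length, LastWriteTime
    } catch {
        Write-Warning "Cannot read ${root}: $($_.Exception.Message)"
    }
}

function Get-BrowserHomePageSettings {
    # A changed default is just a string value; compare it with what the owner says they set.
    $scopes = @{
        'HKCU' = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
        'HKLM' = 'HKLM:\Software\Microsoft\Internet Explorer\Main'
    }
    foreach ($name in $scopes.Keys) {
        $p = Get-ItemProperty -Path $scopes[$name] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Scope          = $name
            StartPage      = $p.'Start Page'
            DefaultPageUrl = $p.Default_Page_URL
            SearchPage     = $p.'Search Page'
        }
    }
}

function Get-SafeBootEntries {
    # Services and driver groups listed here are loaded in Safe Mode. Anything that is
    # not a Microsoft driver group or service is how malware keeps running in safe mode.
    foreach ($mode in 'Minimal', 'Network') {
        $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        Get-ChildItem -Path $k -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Mode    = $mode
                Name    = $_.PSChildName
                Default = $_.GetValue('')   # 'Driver', 'Service', or a display name
            }
        }
    }
}

function Get-TempAndPrefetchResidue {
    # Recently written files in the user Temp, system Temp and Prefetch folders:
    # the places that refill while malware reinstalls itself after a reboot.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $dirs = @($env:TEMP,
              (Join-Path $env:SystemRoot 'Temp'),
              (Join-Path $env:SystemRoot 'Prefetch'))
    foreach ($d in $dirs) {
        if (Test-Path $d) {
            Get-ChildItem -Path $d -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -gt $since } |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

# Run the whole checklist.
Get-SystemRestoreStatus
Get-RestoreFolderExecutables
Get-BrowserHomePageSettings
Get-SafeBootEntries
Get-TempAndPrefetchResidue -Hours 48
```

Run it once before cleaning and once after the final reboot, and diff the two outputs: a SafeBoot entry or a Temp file that reappears after you thought the machine was clean is the self-reinstalling behaviour the poster saw, and a Start Page that is still letgohome.com is the basic check the later reply asks about.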

You know, I might get negged just for posting this, lol, but I'm gonna anyway... I just downloaded and used Microsoft's Anti-Spyware beta and it seems to work well... it removed a lot of stuff... you might want to go to Google and do a search for that; sorry, I don't have the link.